Friday, January 21, 2011

Today's review lab: MPLS L3 VPNs

Hi all,

Today I did a review lab on MPLS VPNs.

Here is the topology, a nice pyramid shape:


And here is the .net file; you may need to adapt the image path to your own IOS image.

.net file:


autostart = False
[localhost:7200]
workingdir = /tmp
udp = 10000
[[3725]]
ghostios = True
image = /opt/IOS/c3725-adventerprisek9-mz.124-15.T10.bin
ram = 256
sparsemem = True
idlepc = 0x60c056e4
[[ROUTER R1]]
model = 3725
console = 20001
f0/0 = R2 f0/0
f0/1 = R3 f0/0
[[ROUTER R2]]
model = 3725
console = 20002
f0/0 = R1 f0/0
f0/1 = R3 f0/1
slot1 = NM-1FE-TX
f1/0 = R4 f0/0
slot2 = NM-1FE-TX
f2/0 = R5 f0/0
[localhost:7201]
workingdir = /tmp
udp = 10100
[[3725]]
ghostios = True
image = /opt/IOS/c3725-adventerprisek9-mz.124-15.T10.bin
ram = 256
sparsemem = True
idlepc = 0x60c056e4
[[ROUTER R3]]
model = 3725
console = 20003
f0/0 = R1 f0/1
f0/1 = R2 f0/1
slot1 = NM-1FE-TX
f1/0 = R5 f1/0
slot2 = NM-1FE-TX
f2/0 = R6 f0/0
[[ROUTER R5]]
model = 3725
console = 20005
f0/0 = R2 f2/0
f0/1 = R4 f0/1
slot1 = NM-1FE-TX
f1/0 = R3 f1/0
slot2 = NM-1FE-TX
f2/0 = R6 f0/1
[localhost:7202]
workingdir = /tmp
udp = 10200
[[3725]]
ghostios = True
image = /opt/IOS/c3725-adventerprisek9-mz.124-15.T10.bin
ram = 256
sparsemem = True
idlepc = 0x60c056e4
[[ROUTER R6]]
model = 3725
console = 20006
f0/0 = R3 f2/0
f0/1 = R5 f2/0
[localhost:7203]
workingdir = /tmp
udp = 10300
[[3725]]
ghostios = True
image = /opt/IOS/c3725-adventerprisek9-mz.124-15.T10.bin
ram = 256
sparsemem = True
idlepc = 0x60c056e4
[[ROUTER R4]]
model = 3725
console = 20004
f0/0 = R2 f1/0
f0/1 = R5 f0/1



Tasks:
-configure the MPLS backbone between R2, R3 and R5 using OSPF process 1 and MP-BGP AS 10
-configure the MPLS VPN customers on R1, R4 and R6, using EIGRP AS 100 on R1, OSPF process 2 on R6 and BGP AS 400 on R4
-avoid customer routes looping through the MPLS core

Here are the initial configs; as you can see, I used only legacy technology (IPv4) for this lab :-D

Initial config:


#### R1 initial config ###
hostname R1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.0.12.1 255.255.255.0
no shut
!
interface FastEthernet0/1
ip address 10.0.13.1 255.255.255.0
no shut
end
#### END R1 initial config ###

#### R2 initial config ###
hostname R2
!
ip vrf R1
rd 1:2
!
ip vrf R4
rd 4:2
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip vrf forwarding R1
ip address 10.0.12.2 255.255.255.0
no shut
!
interface FastEthernet0/1
ip address 10.0.23.2 255.255.255.0
no shut
!
interface FastEthernet1/0
ip vrf forwarding R4
ip address 10.0.24.2 255.255.255.0
no shut
!
interface FastEthernet2/0
ip address 10.0.25.2 255.255.255.0
no shut
#### END R2 initial config ###

#### R3 initial config ###
hostname R3
!
ip vrf R1
rd 1:3
!
ip vrf R6
rd 6:3
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
ip vrf forwarding R1
ip address 10.0.13.3 255.255.255.0
no shut
!
interface FastEthernet0/1
ip address 10.0.23.3 255.255.255.0
no shut
!
interface FastEthernet1/0
ip address 10.0.35.3 255.255.255.0
no shut
!
interface FastEthernet2/0
ip vrf forwarding R6
ip address 10.0.36.3 255.255.255.0
no shut
end
#### END R3 initial config ###

#### R4 initial config ###
hostname R4
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
ip address 10.0.24.4 255.255.255.0
no shut
!
interface FastEthernet0/1
ip address 10.0.45.4 255.255.255.0
no shut
end
#### END R4 initial config ###

#### R5 initial config ###
hostname R5
!
ip vrf R4
rd 4:5
!
ip vrf R6
rd 6:5
!
interface Loopback0
ip address 5.5.5.5 255.255.255.255
!
interface FastEthernet0/0
ip address 10.0.25.5 255.255.255.0
no shut
!
interface FastEthernet0/1
ip vrf forwarding R4
ip address 10.0.45.5 255.255.255.0
no shut
!
interface FastEthernet1/0
ip address 10.0.35.5 255.255.255.0
no shut
!
interface FastEthernet2/0
ip vrf forwarding R6
ip address 10.0.56.5 255.255.255.0
no shut
end
#### END R5 initial config ###

#### R6 initial config ###
hostname R6
!
interface Loopback0
ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/0
ip address 10.0.36.6 255.255.255.0
no shut
!
interface FastEthernet0/1
ip address 10.0.56.6 255.255.255.0
no shut
end
#### END R6 initial config ###


Please note that I used different RDs on the VRFs, to avoid BGP bestpath selection problems during the import/export part later.

Let's start configuring the MPLS backbone:
on R2:

mpls label range 2000 2999
mpls label protocol ldp
!
interface FastEthernet0/1
mpls ip
!
interface FastEthernet2/0
mpls ip
!
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 10.0.23.0 0.0.0.255 area 0
network 10.0.25.0 0.0.0.255 area 0
!
router bgp 10
template peer-session IBGP
remote-as 10
update-source Loopback0
exit-peer-session
!
bgp router-id 2.2.2.2
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 3.3.3.3 inherit peer-session IBGP
neighbor 5.5.5.5 inherit peer-session IBGP
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community both
exit-address-family
!
address-family ipv4 vrf R4
no synchronization
exit-address-family
!
address-family ipv4 vrf R1
no synchronization
exit-address-family
!
mpls ldp router-id Loopback0 force

I used the peer-session template on R2 just to get a little practice with it; it has no special meaning in this scenario.

on R3:

mpls label range 3000 3999
mpls label protocol ldp
!
interface FastEthernet0/1
mpls ip
!
interface FastEthernet1/0
mpls ip
!
router ospf 1
router-id 3.3.3.3
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 10.0.23.0 0.0.0.255 area 0
network 10.0.35.0 0.0.0.255 area 0
!
router bgp 10
bgp router-id 3.3.3.3
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor IBGP peer-group
neighbor IBGP remote-as 10
neighbor IBGP update-source Loopback0
neighbor 2.2.2.2 peer-group IBGP
neighbor 5.5.5.5 peer-group IBGP
!
address-family vpnv4
neighbor IBGP send-community both
neighbor 2.2.2.2 activate
neighbor 5.5.5.5 activate
exit-address-family
!
address-family ipv4 vrf R6
no synchronization
exit-address-family
!
address-family ipv4 vrf R1
no synchronization
exit-address-family
!
mpls ldp router-id Loopback0 force


on R5:

mpls label range 5000 5999
mpls label protocol ldp
!
interface FastEthernet0/0
mpls ip
!
interface FastEthernet1/0
mpls ip
!
router ospf 1
router-id 5.5.5.5
log-adjacency-changes
network 5.5.5.5 0.0.0.0 area 0
network 10.0.25.0 0.0.0.255 area 0
network 10.0.35.0 0.0.0.255 area 0
!
router bgp 10
bgp router-id 5.5.5.5
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 10
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 10
neighbor 3.3.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf R6
no synchronization
exit-address-family
!
address-family ipv4 vrf R4
no synchronization
exit-address-family
!
mpls ldp router-id Loopback0 force


Then the CE-PE routing:
on R1:

router eigrp 100
network 1.1.1.1 0.0.0.0
network 10.0.12.0 0.0.0.255
network 10.0.13.0 0.0.0.255
no auto-summary
eigrp router-id 1.1.1.1


on R4:

router bgp 400
no synchronization
bgp router-id 4.4.4.4
bgp log-neighbor-changes
network 4.4.4.4 mask 255.255.255.255
network 10.0.24.0 mask 255.255.255.0
network 10.0.45.0 mask 255.255.255.0
neighbor 10.0.24.2 remote-as 10
neighbor 10.0.24.2 send-community both
neighbor 10.0.45.5 remote-as 10
neighbor 10.0.45.5 send-community both
no auto-summary


on R6:

router ospf 2
router-id 6.6.6.6
log-adjacency-changes
network 6.6.6.6 0.0.0.0 area 0
network 10.0.36.0 0.0.0.255 area 0
network 10.0.56.0 0.0.0.255 area 0


Nothing special on the customer side; on the provider side you need:

on R2:

router eigrp 1
auto-summary
!
address-family ipv4 vrf R1
redistribute bgp 10 metric 100000 100 255 1 1500
network 10.0.12.0 0.0.0.255
no auto-summary
autonomous-system 100
eigrp router-id 2.2.2.2
exit-address-family
!
router bgp 10
address-family ipv4 vrf R4
neighbor 10.0.24.4 remote-as 400
neighbor 10.0.24.4 activate
neighbor 10.0.24.4 send-community both
no synchronization
exit-address-family
!
address-family ipv4 vrf R1
redistribute eigrp 100
no synchronization
exit-address-family


on R3:

router eigrp 1
auto-summary
!
address-family ipv4 vrf R1
redistribute bgp 10 metric 100000 100 255 1 1500
network 10.0.13.0 0.0.0.255
no auto-summary
autonomous-system 100
eigrp router-id 3.3.3.3
exit-address-family
!
router ospf 2 vrf R6
router-id 10.0.36.3
log-adjacency-changes
redistribute bgp 10 subnets
network 10.0.36.0 0.0.0.255 area 0
!
router bgp 10
address-family ipv4 vrf R6
redistribute ospf 2 vrf R6
no synchronization
exit-address-family
!
address-family ipv4 vrf R1
redistribute eigrp 100
no synchronization
exit-address-family


on R5:

router ospf 2 vrf R6
router-id 10.0.56.5
log-adjacency-changes
redistribute bgp 10 subnets
network 10.0.56.0 0.0.0.255 area 0
!
router bgp 10
address-family ipv4 vrf R6
redistribute ospf 2 vrf R6
no synchronization
exit-address-family
!
address-family ipv4 vrf R4
neighbor 10.0.45.4 remote-as 400
neighbor 10.0.45.4 activate
neighbor 10.0.45.4 send-community both
no synchronization
exit-address-family


Now it's time to play with import/export on the VRFs. As you may have noticed, the initial config had no import/export route-targets.
Let's say that:
-the R1 customer must reach the R4 prefixes through R3 and R5 (and vice versa)
-the R1 customer must reach the R6 prefixes through R2 and R5 (and vice versa)

You could obtain this with MPLS Traffic Engineering too, but this time I want to test selective imports/exports.

Let's configure our PE routers:
on R2:

ip vrf R1
rd 1:2
route-target export 1:2
route-target import 6:5


on R3:

ip vrf R1
rd 1:3
route-target export 1:3
route-target import 4:5


on R5:

ip vrf R4
rd 4:5
route-target export 4:5
route-target import 1:3
!
ip vrf R6
rd 6:5
route-target export 6:5
route-target import 1:2


With this configuration I expect the traffic to flow this way:


But what happens at the R1 customer site? Since I'm using two different entry points without any import/export filter on VRF R1, the R4 routes that R1 learns through R3 are exported again on R2 with RT 1:2, and the R6 routes that R1 learns through R2 are exported again on R3 with RT 1:3.
So R4 and R6 gain unwanted connectivity:
R4#sh ip route  | beg Gate
Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 [20/0] via 10.0.45.5, 00:27:31
4.0.0.0/32 is subnetted, 1 subnets
C 4.4.4.4 is directly connected, Loopback0
6.0.0.0/32 is subnetted, 1 subnets
B 6.6.6.6 [20/0] via 10.0.45.5, 00:27:31
10.0.0.0/24 is subnetted, 6 subnets
B 10.0.12.0 [20/0] via 10.0.45.5, 00:27:31
B 10.0.13.0 [20/0] via 10.0.45.5, 00:27:31
C 10.0.24.0 is directly connected, FastEthernet0/0
C 10.0.45.0 is directly connected, FastEthernet0/1
B 10.0.36.0 [20/0] via 10.0.45.5, 00:27:31
B 10.0.56.0 [20/0] via 10.0.45.5, 00:27:31
R4#traceroute 6.6.6.6

Type escape sequence to abort.
Tracing the route to 6.6.6.6

1 10.0.45.5 8 msec 8 msec 4 msec
2 10.0.13.3 [AS 10] [MPLS: Label 3004 Exp 0] 16 msec 8 msec 16 msec
3 10.0.13.1 [AS 10] 20 msec 20 msec 16 msec
4 10.0.12.2 [AS 10] 20 msec 16 msec 24 msec
5 10.0.56.5 [AS 10] [MPLS: Label 5003 Exp 0] 28 msec 28 msec 24 msec
6 10.0.56.6 [AS 10] 32 msec * 48 msec
R4#


OK, and how to fix it? Well, Site of Origin (SoO) is not a solution here, mainly because we have different RDs, so MP-BGP doesn't find the same SoO extended community on the VPNv4 VRFs.

We could filter exports using an export map! Again, no luck: this won't work, because a prefix that is not matched by the prefix-list is not blocked. Export maps are used only to set additional route-targets on an exported prefix.

A quick and dirty solution is to allow only internal EIGRP routes during redistribution into MP-BGP:

On R2 and on R3:

router bgp 10
address-family ipv4 vrf R1
redistribute eigrp 100 route-map EIGRP>BGP
exit-address-family
!
route-map EIGRP>BGP permit 10
match route-type internal

This way R4 and R6 no longer have that looped reachability:

R4#sh ip route | b Gate
Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 [20/0] via 10.0.45.5, 19:55:19
4.0.0.0/32 is subnetted, 1 subnets
C 4.4.4.4 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 4 subnets
B 10.0.12.0 [20/0] via 10.0.45.5, 19:55:19
B 10.0.13.0 [20/0] via 10.0.45.5, 19:55:19
C 10.0.24.0 is directly connected, FastEthernet0/0
C 10.0.45.0 is directly connected, FastEthernet0/1
R4#


Another solution involves import maps, but that forces you to list, with a prefix-list, the prefixes to import and to deny, which is not exactly scalable for large customers.


Finally, we need connectivity from R4 to R6 through R2 and R3. Here the configuration is a little different, since R4 is running BGP and receives its routes from MP-BGP AS 10: the R1 routes are not re-imported on R2, thanks to BGP's same-AS loop avoidance (R2 sees its own AS 10 in the AS path).

on R2:

ip vrf R4
rd 4:2
route-target export 4:2
route-target import 6:3


on R3:

ip vrf R6
rd 6:3
route-target export 6:3
route-target import 4:2
!
router bgp 10
address-family ipv4 vrf R6
redistribute ospf 2 vrf R6 route-map OSPF>BGP
exit-address-family
!
route-map OSPF>BGP permit 10
match route-type internal


on R5, to avoid re-exporting the externals learned from R6 with RT 6:5:

router bgp 10
address-family ipv4 vrf R6
redistribute ospf 2 vrf R6 route-map OSPF>BGP
exit-address-family
!
route-map OSPF>BGP permit 10
match route-type internal


OK, now the customers can reach each other over the required paths.

R4#traceroute 1.1.1.1

Type escape sequence to abort.
Tracing the route to 1.1.1.1

1 10.0.45.5 8 msec 8 msec 4 msec
2 10.0.13.3 [AS 10] [MPLS: Label 3003 Exp 0] 24 msec 12 msec 12 msec
3 10.0.13.1 [AS 10] 20 msec * 12 msec
R4#traceroute 6.6.6.6

Type escape sequence to abort.
Tracing the route to 6.6.6.6

1 10.0.24.2 24 msec 4 msec 8 msec
2 10.0.36.3 [AS 10] [MPLS: Label 3004 Exp 0] 16 msec 8 msec 8 msec
3 10.0.36.6 [AS 10] 20 msec * 28 msec
R4#

R1#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

1 10.0.13.3 4 msec 12 msec 4 msec
2 10.0.45.5 [MPLS: Label 5008 Exp 0] 12 msec 8 msec 8 msec
3 10.0.45.4 16 msec * 40 msec
R1#traceroute 6.6.6.6

Type escape sequence to abort.
Tracing the route to 6.6.6.6

1 10.0.12.2 20 msec 8 msec 8 msec
2 10.0.56.5 [MPLS: Label 5003 Exp 0] 8 msec 16 msec 8 msec
3 10.0.56.6 16 msec * 32 msec
R1#

R6#traceroute 1.1.1.1

Type escape sequence to abort.
Tracing the route to 1.1.1.1

1 10.0.56.5 32 msec 12 msec 4 msec
2 10.0.12.2 [MPLS: Label 2003 Exp 0] 24 msec 8 msec 12 msec
3 10.0.12.1 20 msec * 28 msec
R6#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

1 10.0.36.3 8 msec 8 msec 4 msec
2 10.0.24.2 [MPLS: Label 2009 Exp 0] 8 msec 8 msec 12 msec
3 10.0.24.4 16 msec * 20 msec
R6#
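To make the leak at the R1 site and the final selective import/export design easier to reason about, here is an added Python model of the lab's route-target behaviour. It is not part of the original post and not a vendor tool; the names SITES, Vrf, converge, build_lab, ce_table and reachable_sites are my own, and the model is deliberately simplified: a VRF exports every route it holds from its CE (unless the 'match route-type internal' filter is on), imports every VPNv4 route carrying one of its import RTs, an IGP site floods what one PE injects to the site's other PE as an external route, and the BGP site's re-advertisement is dropped by the other PE because AS 10 is already in the path. Stage 1 reproduces the unwanted R4/R6 reachability, stage 2 the EIGRP>BGP fix, stage 3 the final configuration with R4 reaching R6 through R2 and R3.

```python
"""Constructed model of the lab's RT import/export behaviour (added example)."""
from dataclasses import dataclass, field

# customer sites from the post: CE protocol and the prefixes each CE originates
SITES = {
    "R1": ("eigrp", {"1.1.1.1/32", "10.0.12.0/24", "10.0.13.0/24"}),
    "R4": ("bgp",   {"4.4.4.4/32", "10.0.24.0/24", "10.0.45.0/24"}),
    "R6": ("ospf",  {"6.6.6.6/32", "10.0.36.0/24", "10.0.56.0/24"}),
}


@dataclass
class Vrf:
    pe: str
    site: str
    rd: str                                   # RD from the post; only a label here
    export: set = field(default_factory=set)  # route-target export
    imp: set = field(default_factory=set)     # route-target import
    filter_internal: bool = False             # redistribute ... route-map 'match route-type internal'
    ce_routes: dict = field(default_factory=dict)  # prefix -> True if the CE originated it
    imported: dict = field(default_factory=dict)   # prefix -> PE whose VPNv4 export we imported


def converge(vrfs):
    """Iterate export -> import -> CE flooding until no VRF changes any more."""
    for v in vrfs:
        v.ce_routes = {p: True for p in SITES[v.site][1]}
        v.imported = {}
    changed = True
    while changed:
        changed = False
        # 1. redistribute CE routes into VPNv4, tagged with the VRF's export RTs
        vpnv4 = [(v.pe, v.site, p, frozenset(v.export))
                 for v in vrfs for p, internal in v.ce_routes.items()
                 if internal or not v.filter_internal]
        # 2. import every VPNv4 route from another VRF that carries one of our import RTs
        for v in vrfs:
            for pe, site, p, rts in vpnv4:
                if ((pe, site) != (v.pe, v.site) and rts & v.imp
                        and p not in v.ce_routes and p not in v.imported):
                    v.imported[p] = pe
                    changed = True
        # 3. imported routes go to the CE; an IGP CE floods them to the site's other PE as
        #    externals, while a BGP CE's re-advertisement is dropped (AS 10 already in path)
        for v in vrfs:
            if SITES[v.site][0] == "bgp":
                continue
            for other in vrfs:
                if other.site == v.site and other is not v:
                    for p in v.imported:
                        if p not in other.ce_routes and p not in other.imported:
                            other.ce_routes[p] = False
                            changed = True
    return vrfs


def build_lab(stage):
    """stage 1: first RT config; 2: + EIGRP>BGP filter on R2/R3; 3: + R4<->R6 via R2/R3."""
    vrfs = [Vrf("R2", "R1", "1:2"), Vrf("R2", "R4", "4:2"), Vrf("R3", "R1", "1:3"),
            Vrf("R3", "R6", "6:3"), Vrf("R5", "R4", "4:5"), Vrf("R5", "R6", "6:5")]
    by = {(v.pe, v.site): v for v in vrfs}
    by["R2", "R1"].export, by["R2", "R1"].imp = {"1:2"}, {"6:5"}
    by["R3", "R1"].export, by["R3", "R1"].imp = {"1:3"}, {"4:5"}
    by["R5", "R4"].export, by["R5", "R4"].imp = {"4:5"}, {"1:3"}
    by["R5", "R6"].export, by["R5", "R6"].imp = {"6:5"}, {"1:2"}
    if stage >= 2:
        by["R2", "R1"].filter_internal = by["R3", "R1"].filter_internal = True
    if stage >= 3:
        by["R2", "R4"].export, by["R2", "R4"].imp = {"4:2"}, {"6:3"}
        by["R3", "R6"].export, by["R3", "R6"].imp = {"6:3"}, {"4:2"}
        by["R3", "R6"].filter_internal = by["R5", "R6"].filter_internal = True
    return converge(vrfs)


def ce_table(stage, site):
    """What the CE of `site` learns from its PEs: prefix -> frozenset of next-hop PEs."""
    table = {}
    for v in build_lab(stage):
        if v.site == site:
            for p in v.imported:
                table.setdefault(p, set()).add(v.pe)
    return {p: frozenset(pes) for p, pes in table.items()}


def reachable_sites(stage, site):
    """Remote sites the CE can reach, keyed by the PE its traffic enters through."""
    out = {}
    for p, pes in ce_table(stage, site).items():
        owner = next(s for s, (_, prefixes) in SITES.items() if p in prefixes)
        for pe in pes:
            out.setdefault(pe, set()).add(owner)
    return out


if __name__ == "__main__":
    for stage in (1, 2, 3):
        for site in SITES:
            print(f"stage {stage} {site}: {reachable_sites(stage, site)}")
```

Running it shows stage 1 giving R4 the R6 prefixes through R5 (the leak in the first `sh ip route` above), stage 2 leaving R4 with only the R1 prefixes, and stage 3 giving every site exactly the two remote sites through the intended PEs; the same model makes it easy to check what happens if one of the `match route-type internal` filters is dropped.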


Note also that there's no backup connectivity if a customer loses a PE exit point, so this is absolutely NOT a best practice; it's just a lab.
:-D

have a nice weekend
Marco